We construct an explicit minimal strong Gröbner basis of the ideal
of vanishing polynomials in the polynomial ring over $\mathbb{Z}/m$ for
$m \ge 2$. The proof is done in a purely combinatorial way. It is a
remarkable fact that the constructed Gröbner basis is independent
of the monomial order and that the set of leading terms of
the constructed Gröbner basis is unique, up to multiplication
by units. We also present a fast algorithm to compute reduced
normal forms, and furthermore, we give a recursive algorithm
for building a Gröbner basis in $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ along the
prime factorization of $m$. The obtained results are not only
of mathematical interest but have immediate applications in
formal verification of data paths for microelectronic systems-on-chip.

© 2010 Elsevier Ltd. All rights reserved. 



1. Introduction 

Although the basic properties of Gröbner bases in polynomial rings over a ring $C$ are well
known (see Adams and Loustaunau, 2003), they have not been studied very much, mainly because
they were considered as academic, in contrast to the case where the ground ring $C$ is a field.
Recently however, Gröbner basis techniques in polynomial rings over $C = \mathbb{Z}/m$ (in particular $\mathbb{Z}/2^k$)
have attracted some attention due to their potential applications to proving correctness of data
paths in system-on-chip design (cf. e.g. Greuel et al., 2008; Shekhar et al., 2005; Wienand et al.,
2008).

When the underlying ring $C$ has only finitely many elements, then there exist polynomials in
$C[x_1, x_2, \ldots, x_n]$ which evaluate to zero for all $(a_1, a_2, \ldots, a_n) \in C^n$, called vanishing polynomials.
Thus, any polynomial function $f : C^n \to C$ given by an arbitrary element $f \in C[x_1, x_2, \ldots, x_n]$
will have many alternative representations in $C[x_1, x_2, \ldots, x_n]$, as $f = f + g$, for all $g$ that constantly
vanish on $C^n$. All vanishing polynomials constitute an ideal $I_0$.

In the applications mentioned above, not the polynomials but only the polynomial functions are
of interest. Thus, if we want to apply algebraic methods we need to be able to efficiently compute
normal forms of polynomials with respect to a Gröbner basis of $I_0$. In the presented paper, we set the
theoretical ground and provide fast algorithms for doing these computations.

From a mathematical point of view, $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ has some interesting properties. In
this paper, we will give an explicit minimal strong Gröbner basis $G_m$ for $I_0$. As will turn out, $G_m$ is a
Gröbner basis with respect to every global monomial order. Moreover, we will show for any alternative
minimal strong Gröbner basis $G$ of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ that the sets of leading terms of $G_m$ and
$G$ are the same up to multiplication by units. This is remarkable, since the ring $\mathbb{Z}/m$ has zero divisors.
In general, the leading terms of two minimal strong Gröbner bases of an ideal $I \subset C[x_1, x_2, \ldots, x_n]$
need not be related by a unit but only by some element of $C$. We will prove both properties and show
also that in general all minimal strong Gröbner bases of an arbitrary ideal $I \subset C[x_1, x_2, \ldots, x_n]$ have
the same number of elements.

From a practical point of view, as mentioned above, engineering tasks involving the computation
of Gröbner bases over finite rings will often need to deal with vanishing polynomials. This is due to
the fact that normally the elements of a Gröbner basis $G$ will be used to decide the consistency of a
mathematical model. And typically, such a check involves the question whether the set of zeros of
all polynomials $f \in G$ coincides with the set of all feasible input-output vectors of the modelled
artifact; see also Greuel et al. (2008). Our interest was specifically spurred by a cooperation with
the local Electronic Design Automation Group in which we use Gröbner bases to formally verify chip
designs. More precisely, a given verification task is translated into a polynomial ideal in $\mathbb{Z}/2^k$, where
typically $k = 32$ or $k = 64$; cf. Wienand (in preparation). For the special case of polynomial datapath
verification we also refer to Wienand et al. (2008) in which it was shown that the Gröbner basis
approach proves tractable for industrial applications where standard property checking techniques
failed.

This paper is organized as follows. Section 2 briefly recalls the basic concepts from the theory of
polynomial rings and Gröbner bases needed later. Section 3 starts by presenting canonical members
of the ideal of vanishing polynomials $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. Next we show that the leading
term of any given vanishing polynomial is divisible by the leading term of an appropriate canonical
member. This relation enables us to finally construct an explicit minimal strong Gröbner basis $G_m$ of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. We also show that the size of $G_m$ is of polynomial order of degree $k$ in the
number of variables $n$, when we are in the practically relevant case $m = 2^k$.

The theoretical results are followed by algorithms for computing reduced normal forms
with respect to the constructed basis, and for recursively computing a Gröbner basis of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ along the prime factorization of $m$. The normal form algorithm has been
implemented in the computer algebra system SINGULAR (Greuel et al., 2009) and successfully applied
(Wienand et al., 2008).



2. Preliminaries 

Let $C$ be a commutative, noetherian ring with 1, and $C[x] := C[x_1, x_2, \ldots, x_n]$ a multivariate
polynomial ring over $C$, where $n \ge 1$. For any multi-index $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, a
product of variables $x^\alpha := x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ is called a monomial, and a product $a \cdot x^\alpha$ with $a \in C$ is called a
term.

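Given two multi-indices $\alpha = (\alpha_1, \ldots, \alpha_n)$, $\beta = (\beta_1, \ldots, \beta_n)$, we define
$\alpha \pm \beta := (\alpha_1 \pm \beta_1, \ldots, \alpha_n \pm \beta_n)$. We may compare $\alpha$ and $\beta$ according to the predicate
$\alpha \le \beta :\Leftrightarrow \forall i \in \{1, \ldots, n\} : \alpha_i \le \beta_i$, and similarly $\alpha \prec \beta :\Leftrightarrow \alpha \le \beta \wedge \alpha \ne \beta$.
For $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, we write
$\alpha! := \alpha_1! \cdots \alpha_n!$, and $|\alpha| := \alpha_1 + \cdots + \alpha_n$.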

Moreover, we require the polynomial ring $C[x]$ to be equipped with a global monomial order
$<$, i.e., $<$ is a well-order on the set of monomials and satisfies $x^\alpha > x^\beta \Rightarrow x^{\alpha+\gamma} > x^{\beta+\gamma}$ for all
$\alpha, \beta, \gamma \in \{0, 1, 2, \ldots\}^n$. Then $<$ refines the partial order

Since we are going to work with divisibility in $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, we need to distinguish between
divisibility in $\mathbb{Z}/m$ and in $\mathbb{Z}$. We set $a \mid_{\mathbb{Z}} b :\Leftrightarrow \exists k \in \mathbb{Z} : b = a \cdot k$ and
$a \mid b :\Leftrightarrow \exists k \in \mathbb{Z} : m \mid_{\mathbb{Z}} (b - a \cdot k)$,
that is, $b$ and $a \cdot k$ represent the same residue class in $\mathbb{Z}/m$. For two monomials $a x^\alpha$, $b x^\beta$, we say that
$a x^\alpha$ divides $b x^\beta$, if $a \mid b \wedge \alpha \le \beta$. We then write $a x^\alpha \mid b x^\beta$, using the ordinary symbol.

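Let $f = a_0 \cdot x^{\alpha^{(0)}} + \cdots + a_k \cdot x^{\alpha^{(k)}}$ be a polynomial in $C[x_1, x_2, \ldots, x_n]$ with $a_i \ne 0$ for $0 \le i \le k$,
and $x^{\alpha^{(0)}} > x^{\alpha^{(1)}} > \cdots > x^{\alpha^{(k)}}$. We use the following notation:

$\deg(f) = \max\{|\alpha^{(i)}| \mid 0 \le i \le k\}$        total degree of $f$,
$\mathrm{LT}(f) = a_0 \cdot x^{\alpha^{(0)}}$                leading term of $f$,
$\mathrm{LM}(f) = x^{\alpha^{(0)}}$                          leading monomial of $f$,
$\mathrm{LC}(f) = a_0$                                       leading coefficient of $f$,
$L(A) = \langle \mathrm{LT}(f) \mid f \in A \rangle_{C[x_1, x_2, \ldots, x_n]}$   leading ideal of $A$,

for $A \subset C[x_1, x_2, \ldots, x_n]$, $A \ne \emptyset$.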



For an ideal $I \subset C[x_1, x_2, \ldots, x_n]$ a finite set $G \subset C[x_1, x_2, \ldots, x_n]$ is called a Gröbner basis of $I$ if
$G \subset I$, and $L(I) = L(G)$.

That is, $G$ is a Gröbner basis, if the leading terms of $G$ generate the leading ideal of $I$. Note that in
general, all defined objects depend on the chosen monomial order. Especially, a set $G$ may be a Gröbner
basis only with respect to a certain monomial order. We also remind the reader that with the given
definition, $G$ already generates $I$, cf. Adams and Loustaunau (2003).

$G$ is furthermore called a strong Gröbner basis if for any $f \in I \setminus \{0\}$ there exists a polynomial $g \in G$
satisfying $\mathrm{LT}(g) \mid \mathrm{LT}(f)$. A strong Gröbner basis $G$ is called minimal strong if $\mathrm{LT}(g_1) \nmid \mathrm{LT}(g_2)$ for all
distinct $g_1, g_2 \in G$. It is a well known fact that a strong Gröbner basis can always be constructed from
a given Gröbner basis when $C$ is a principal ideal domain, see e.g. Adams and Loustaunau (2003).

Note that if $C$ is a field, any non-zero coefficient of a term is invertible in $C$, and thus
$L(A) = \langle \mathrm{LM}(f) \mid f \in A \rangle$. It is easy to verify that in this case every Gröbner basis is a strong Gröbner basis. As
the following example shows, this does in general not hold when $C$ is a ring:

Example 2.1. Consider $C := \mathbb{Z}/6$, and the polynomial ring $C[x]$ with one variable. Then $G := \{2x, 3x\}$
is a Gröbner basis of the ideal $I := \langle x \rangle$. But since neither $2x$ nor $3x$ divide $x$, $G$ is not a strong Gröbner
basis.

We shall now capture the central notions of this paper. 

Definition 2.2. To any polynomial $f \in C[x_1, x_2, \ldots, x_n]$ we associate the polynomial function
$f : C^n \to C$, $(c_1, c_2, \ldots, c_n) \mapsto f(c_1, c_2, \ldots, c_n)$. We call $f$ a vanishing polynomial if the function $f$ is
identically zero.

The set $I_0 = \{f \in C[x_1, x_2, \ldots, x_n] \mid f \text{ is a vanishing polynomial}\}$ is obviously an ideal in
$C[x_1, x_2, \ldots, x_n]$, called the ideal of vanishing polynomials.



3. A minimal strong Gröbner basis of the ideal of vanishing polynomials



3.1. The ideal of vanishing polynomials 

From now on let the coefficient ring be $C = \mathbb{Z}/m$, where $m \ge 2$, unless stated otherwise. The
following results were inspired by the work of Singmaster (1974), Kempner (1921), Halbeisen et al.
(1999), and Hungerbühler and Specker (2006). Already in Lemma 5 of Kempner (1921), a univariate
version of the following lemma was proven. Theorem 7 of Halbeisen et al. (1999) restated this result,
and Hungerbühler and Specker (2006) came up with a generalization to multivariate polynomial rings
over $\mathbb{Z}/m$.

Lemma 3.1. Let $a \in \mathbb{Z}$ and $\alpha = (\alpha_1, \ldots, \alpha_n) \in \mathbb{N}_0^n$ such that $m \mid_{\mathbb{Z}} a\alpha!$. Then

$$p_{\alpha,a} := a \prod_{i=1}^{n} \prod_{l=1}^{\alpha_i} (x_i - l) \in \mathbb{Z}/m[x_1, \ldots, x_n]$$

is a vanishing polynomial.

Proof. Fix an arbitrary point $(c_1, c_2, \ldots, c_n) \in C^n$. Then $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$ contains, for all $i$, by
definition the $\alpha_i$ successive factors $c_i - 1, c_i - 2, \ldots, c_i - \alpha_i$. Independent of the value of $c_i$, these
contain all factors from 2 up to $\alpha_i$. Therefore, $\alpha_i!$ divides $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$, for all $i$. By combining
these results, it follows immediately that $a\alpha_1! \cdots \alpha_n!$ divides $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$. With $m \mid_{\mathbb{Z}} a\alpha!$ this
yields $p_{\alpha,a}(c_1, c_2, \ldots, c_n) = 0$ modulo $m$. □

Let us now take a closer look at an arbitrary vanishing polynomial: 

Lemma 3.2. Let $f \in I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ be an arbitrary vanishing polynomial with $\mathrm{LT}(f) = b x^\beta$.
Then $m \mid_{\mathbb{Z}} b\beta!$.

For the proof we use some of the ideas introduced in Hungerbühler and Specker (2006), which are
based on the notion of partial differences in the multivariate setting. Already Carlitz used partial
differences in the univariate case, see Carlitz (1964), to give a necessary and sufficient condition for a
function $f$ over $\mathbb{Z}/p^k$ to be a polynomial function.¹

Proof. Let $C[x_1, \ldots, x_n]$ denote an arbitrary polynomial ring over $n \ge 1$ variables, and let $h \in C[x]$
be a polynomial. Then we may define the $i$th partial difference

$$\nabla_i h := h(x_1, \ldots, x_{i-1}, x_i + 1, x_{i+1}, \ldots, x_n) - h(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n),$$

for $1 \le i \le n$. Note that $\nabla_i$ is a linear operator.

Now we can define the successive application of the operator by

$$\nabla_i^0 h := h, \text{ and } \nabla_i^{k+1} h := \nabla_i \nabla_i^k h, \text{ for } k \ge 0.$$

(For $n = 1$, $\nabla^k h$ coincides with Carlitz' $\Delta^k h$; see Carlitz, 1964.)

Since obviously, $\nabla_i \nabla_j h = h(x_1, \ldots, x_i + 1, \ldots, x_j + 1, \ldots, x_n) - h(x_1, \ldots, x_i + 1, \ldots, x_n) -
h(x_1, \ldots, x_j + 1, \ldots, x_n) + h(x_1, \ldots, x_n) = \nabla_j \nabla_i h$, for all $i, j \in \{1, \ldots, n\}$, we can extend the operator
to arbitrary multi-indices, that is, with $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, the term

$$\nabla^\alpha h := \nabla_1^{\alpha_1} \nabla_2^{\alpha_2} \cdots \nabla_n^{\alpha_n} h$$

is independent from the order of application of the $\nabla_i$ operators and hence well-defined.

Let us consider the difference $(x_i + 1)^k - x_i^k = k \cdot x_i^{k-1} + g(x_i)$, where $g$ consists of lower terms
only, that is, $\deg(g) < k - 1$. A simple induction shows that $\nabla_i^k x_i^k = k!$ and $\nabla_i^j x_i^k = 0$, whenever $j > k$.
Let now $a x^\alpha := \mathrm{LT}(h)$ denote the leading term. Then, mainly due to the linearity of the $\nabla_i$ operators,
it is easy to see that the previous facts can be further abstracted to the general statements

$$\nabla^\alpha h = a\alpha! \text{ and } \nabla^\beta h = 0, \text{ for all } \beta > \alpha.$$

We apply the first equation to the vanishing polynomial $f$ over the ring $\mathbb{Z}/m$: With $f$ also $\nabla^\beta f = b\beta!$
must be a vanishing polynomial, by construction. But this implies $b\beta! = 0$ modulo $m$. □

3.2. A minimal strong Gröbner basis of $I_0$

The above lemmas suggest to consider the set of all polynomials $p_{\alpha,a}$ for which neither $\alpha$ nor $a$ can
be replaced by a smaller multi-index or element of $\mathbb{Z}/m$, respectively, without losing the condition
$m \mid_{\mathbb{Z}} a\alpha!$. (This minimality of $\alpha$ has been inspired by the so-called Smarandache function which maps
$m$ to $\min\{k \in \mathbb{N} \mid m \mid_{\mathbb{Z}} k!\}$. This function played a role in previous works which studied the univariate
case, and had been named after Smarandache, see Smarandache (1980), although the idea had been
introduced earlier by Kempner in Definition 1 of Kempner (1921).) We thus define

$$S_m := \{(\alpha, a) \mid 1 \le a < m,\ a \mid_{\mathbb{Z}} m,\ \alpha \in \mathbb{N}_0^n,\ m \mid_{\mathbb{Z}} a\alpha!,$$
$$\qquad \forall \beta \prec \alpha : m \nmid_{\mathbb{Z}} a\beta!,$$
$$\qquad \forall b < a,\ b \mid_{\mathbb{Z}} a : m \nmid_{\mathbb{Z}} b\alpha!\},$$

$$G_m := \{p_{\alpha,a} \mid (\alpha, a) \in S_m\}.$$



¹ I.e., $f(a) = g(a) \bmod p^k$, for all $a \in \mathbb{Z}/p^k$ and some polynomial $g \in \mathbb{Z}/p^k[x]$.



G.-M. Greuel et al. / Journal of Symbolic Computation 46 (2011) 561-570






Note that, according to Lemma 3.1, all polynomials in $G_m$ will still be elements of $I_0$. And by Lemma 3.2,
we can hope to have constructed a strong Gröbner basis.

Theorem 3.3. Let $m \ge 2$ and $n \ge 1$ be arbitrary integers. With the above notations, $G_m$ is a minimal
strong Gröbner basis of the ideal of vanishing polynomials $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, independent of the
global monomial order.

Before we prove the theorem, let us take a look at an example. 

Example 3.4. Let $m = q_1 \cdot q_2 \cdots q_k$ be a product of $k \ge 1$ mutually distinct primes, and $n \ge 1$ arbitrary.
We assume $q_1 < q_2 < \cdots < q_k$. Then we can immediately write down all elements of $G_m$:

$(x_i - 1)(x_i - 2) \cdots (x_i - q_k)$,
$q_k \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_{k-1})$,
$q_k \cdot q_{k-1} \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_{k-2})$,
$\vdots$
$q_k \cdot q_{k-1} \cdots q_2 \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_1)$,

in each row for all $i \in \{1, 2, \ldots, n\}$.

Note that the first type of polynomial is in $G_m$, as $q_k!$ already contains all $q_i$, thus $m \mid_{\mathbb{Z}} q_k!$. Also, we
need to have all $q_k$ polynomial factors since, for all $r < q_k$, $q_k \nmid_{\mathbb{Z}} r!$, i.e. $m \nmid_{\mathbb{Z}} r!$. For the following
polynomials, the argument is similar. Moreover, it is easy to see that we do not have elements in $G_m$
involving two or more variables, and the presented polynomials are all elements of $G_m$.

In this special case $|G_m| = k \cdot n$, and the maximal degree is $q_k$. This means that the size of the basis
is only linear in the number of variables.

For the case $k = 1$, $\mathbb{Z}/q_1$ is a field, and we obtain only the $n$ polynomials in the top row, which are
well-known for this case.
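
Added example (not code from the paper): a brute-force enumeration of $S_m$ straight from its definition, used to confirm the shape of $G_m$ claimed in Example 3.4 for square-free $m$ and to check Lemma 3.1 by exhaustive evaluation. The names `s_m`, `kempner`, `evaluate_p` and `all_vanish` are assumptions of this sketch, and $b \mid a$ in the minimality condition is read as divisibility in $\mathbb{Z}$.

```python
from itertools import product
from math import factorial, prod


def multi_factorial(alpha):
    """alpha! := alpha_1! * ... * alpha_n! for a multi-index alpha."""
    return prod(factorial(e) for e in alpha)


def kempner(m):
    """Smallest k such that m divides k! (the function discussed before S_m)."""
    k = 1
    while factorial(k) % m:
        k += 1
    return k


def s_m(m, n):
    """Enumerate S_m for n variables as a sorted list of (alpha, a) pairs."""
    divisors = [a for a in range(1, m) if m % a == 0]   # 1 <= a < m, a | m
    bound = kempner(m)   # an exponent above this bound can never be minimal
    pairs = []
    for alpha in product(range(bound + 1), repeat=n):
        af = multi_factorial(alpha)
        for a in divisors:
            if (a * af) % m:
                continue                     # m does not divide a * alpha!
            # Minimality of alpha: beta! divides alpha! whenever beta <= alpha,
            # so testing the immediate predecessors alpha - e_i is enough.
            preds = [alpha[:i] + (e - 1,) + alpha[i + 1:]
                     for i, e in enumerate(alpha) if e > 0]
            if any((a * multi_factorial(b)) % m == 0 for b in preds):
                continue
            # Minimality of a: no proper divisor b of a works with this alpha.
            if any(a % b == 0 and (b * af) % m == 0 for b in range(1, a)):
                continue
            pairs.append((alpha, a))
    return sorted(pairs)


def evaluate_p(alpha, a, point, m):
    """p_{alpha,a}(c) = a * prod_i prod_{l=1..alpha_i} (c_i - l) modulo m."""
    value = a
    for c, e in zip(point, alpha):
        for l in range(1, e + 1):
            value = value * (c - l) % m
    return value


def all_vanish(m, n):
    """Lemma 3.1, checked on every element of G_m over all of (Z/m)^n."""
    return all(evaluate_p(alpha, a, pt, m) == 0
               for alpha, a in s_m(m, n)
               for pt in product(range(m), repeat=n))


if __name__ == "__main__":
    # m = 6 = 2 * 3, one variable: (x-1)(x-2)(x-3) and 3(x-1)(x-2).
    print(s_m(6, 1))
    # m = 30 = 2 * 3 * 5, two variables: k * n = 6 elements, none mixed.
    print(len(s_m(30, 2)), all_vanish(30, 2))
    # m = 12 is not square-free: 3(x-1)(x-2)(y-1)(y-2) appears in G_12.
    print(((2, 2), 3) in s_m(12, 2), all_vanish(12, 2))
```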

We now prove the theorem: 

Proof. Let us fix $m \ge 2$, the number of variables $n \ge 1$, and an arbitrary global monomial order.
We first show that $G_m$ is indeed a Gröbner basis of $I_0$. To this end, it suffices to show that (i) $S_m$ and
hence $G_m$ is a finite set, (ii) $G_m \subset I_0$, and (iii) $L(I_0) \subset L(G_m)$, since (ii) implies the other inclusion
$L(G_m) \subset L(I_0)$.

(i) Since $(\alpha, a) \in S_m$ implies $\alpha \le (m, m, \ldots, m)$, the set is clearly finite.

(ii) $G_m$ consists of polynomials $p_{\alpha,a}$ with $m \mid_{\mathbb{Z}} a\alpha!$. Then $G_m \subset I_0$ by Lemma 3.1.

(iii) Let $f \in L(I_0)$ be arbitrary. Then there exist some integer $N \ge 1$, $h_i \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ and
$f_i \in I_0$, $1 \le i \le N$, such that

$$f = \sum_{i=1}^{N} h_i \cdot \mathrm{LT}(f_i).$$

Writing $a_i x^{\alpha^{(i)}} := \mathrm{LT}(f_i)$, we obtain $m \mid_{\mathbb{Z}} a_i \alpha^{(i)}!$ from Lemma 3.2. Now either $(\alpha^{(i)}, a_i)$ is already
an element of $S_m$. Or we can replace $a_i$ by some $b_i \mid_{\mathbb{Z}} a_i$ and/or $\alpha^{(i)}$ by some $\beta^{(i)} \le \alpha^{(i)}$ such that
$(\beta^{(i)}, b_i) \in S_m$. We can subsume both cases in saying that, for each $i \in \{1, 2, \ldots, N\}$, there is some
$(\beta^{(i)}, b_i) \in S_m$ such that $b_i x^{\beta^{(i)}} \mid \mathrm{LT}(f_i)$. With appropriate polynomials $g_i$, $1 \le i \le N$, this amounts to

$$f = \sum_{i=1}^{N} h_i \cdot g_i \cdot \mathrm{LT}(p_{\beta^{(i)}, b_i}),$$

i.e., $f \in L(G_m)$.

Next, let $f \in I_0$. Then, with the same argument as for the $f_i$ above, there exists a $p_{\gamma,c} \in G_m$ such
that $\mathrm{LT}(p_{\gamma,c}) \mid \mathrm{LT}(f)$. This shows that $G_m$ is a strong Gröbner basis.

It remains to show that $G_m$ is minimal. To this end, pick two pairs $(\alpha, a), (\beta, b) \in S_m$ such that
$a x^\alpha \mid b x^\beta$. Then $a \mid b$, $a \mid_{\mathbb{Z}} m$, $b \mid_{\mathbb{Z}} m$, and $\alpha \le \beta$. We need to prove that $a = b$ and $\alpha = \beta$. Computing
in $\mathbb{Z}$, take a prime factor $q$ of $b$ and $k \ge 1$ maximal such that $q^k \mid_{\mathbb{Z}} b$. Suppose $q^k \nmid_{\mathbb{Z}} a$. Then $a\alpha!$
would have at least one less factor $q$ in its prime factorization than $b\alpha!$. But since $m \mid_{\mathbb{Z}} a\alpha!$, we then
had $m \mid_{\mathbb{Z}} b/q \cdot \alpha! \mid_{\mathbb{Z}} b/q \cdot \beta!$, and $b$ would not be minimal in $(\beta, b) \in S_m$. We conclude that $b \mid_{\mathbb{Z}} a$. We
write this as $a = d \cdot b$ for some $d \mid_{\mathbb{Z}} m$. Now $a \mid b$, that is, $m \mid_{\mathbb{Z}} a \cdot c - b$ for some $c$. Putting things
together we get $bd = a \mid_{\mathbb{Z}} m \mid_{\mathbb{Z}} bcd - b = b(cd - 1)$. Hence $d \mid_{\mathbb{Z}} (cd - 1)$ which can only hold for $d = 1$,
implying $a = b$. But then we must also have $\alpha = \beta$, since otherwise $\beta$ would not be minimal in
$(\beta, b) \in S_m$. □

We now show that leading terms of minimal strong Gröbner bases of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ are
unique, up to multiplication by units of $\mathbb{Z}/m$. We prove this result as a consequence of a more general
statement for ideals over arbitrary commutative rings with 1 that has, to our knowledge, not been
stated before. (Note the similar statement in the field case; see e.g. Proposition 1.8.4 in Adams and
Loustaunau (2003).)

Theorem 3.5. (a) Let $G, F$ be two minimal strong Gröbner bases of an arbitrary ideal
$I \subset C[x_1, x_2, \ldots, x_n]$, where $C$ is any commutative ring with 1. Then $|G| = |F|$, and the sets of leading terms in
$G$ and $F$ coincide up to multiplication by elements of $C$, i.e.,

$$\forall g \in G\ \exists f \in F\ \exists c \in C : \mathrm{LT}(g) = c \cdot \mathrm{LT}(f). \qquad (*)$$

(b) In the case of $C = \mathbb{Z}/m$ and $I = I_0$, the ring elements $c$ in (*) can be chosen to be units of $\mathbb{Z}/m$.

Note that the second statement holds for any ideal, if the ring $C$ is a domain.

Proof. (a) Starting with the proof of (*), we pick any $g \in G \subset I$. Then, by the strength of $F$, there is
some $f \in F$ such that $\mathrm{LT}(f) \mid \mathrm{LT}(g)$. Vice versa, by the strength of $G$, there must be some $g' \in G$ such
that $\mathrm{LT}(g') \mid \mathrm{LT}(f)$. Therefore, $\mathrm{LT}(g') \mid \mathrm{LT}(f) \mid \mathrm{LT}(g)$, which implies $g = g'$, by minimality of $G$. But then
the leading monomials $\mathrm{LM}(f)$ and $\mathrm{LM}(g)$ must also coincide, yielding the desired relation between
$\mathrm{LT}(f)$ and $\mathrm{LT}(g)$.

Similar to the previous argument, it is easy to see that no two distinct leading terms in $F$ can fulfil
a relation (*) with the same leading term in $G$, and vice versa. This implies the equality
$|\{\mathrm{LT}(g) \mid g \in G\}| = |\{\mathrm{LT}(f) \mid f \in F\}|$ which clearly amounts to $|G| = |F|$, by the minimality of $G$ and $F$.

(b) We first choose $G = G_m$ to be the explicitly given Gröbner basis, and $F$ any other minimal strong
Gröbner basis of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. Consider a relation as in (*), i.e., $b \cdot x^\beta = c \cdot a \cdot x^\alpha$, where
$(\beta, b) \in S_m$ and $a \cdot x^\alpha$ denotes the leading term of some $f \in F$. Then $b = a \cdot c \bmod m$, in other words
$m \mid_{\mathbb{Z}} ac - b$. Now let $\bar{a} := \gcd(a, m)$ be the maximum portion of $a$ that divides $m$, that is, $a = \bar{a} \cdot u$,
where $\gcd(u, m) = 1$ which is equivalent to $u$ being a unit in $\mathbb{Z}/m$. Since $\bar{a} \mid_{\mathbb{Z}} m \mid_{\mathbb{Z}} ac - b$, we obtain
$\bar{a} \mid_{\mathbb{Z}} b$.

We want to show $\bar{a} = b$, so for a contradiction let us assume $\bar{a} < b$. $f \in F \subset I_0$ implies $m \mid_{\mathbb{Z}} a\alpha!$
by Lemma 3.2, hence $m \mid_{\mathbb{Z}} \bar{a}\alpha! = \bar{a}\beta!$, as the factors in $a/\bar{a}$ do not affect divisibility by $m$ and since
obviously $\alpha = \beta$. But this means that we could replace $b$ by the smaller $\bar{a}$ and still preserve the
condition $m \mid_{\mathbb{Z}} \bar{a}\beta!$. This contradicts the minimality of $b$ in $(\beta, b) \in S_m$. Hence $\bar{a} = b$.

We thus arrive at the claimed relation $u \cdot b x^\beta = a x^\alpha$, and $c$ can be replaced by the unit
$u^{-1} \in (\mathbb{Z}/m)^*$.

We have shown that we can relate the leading terms of any minimal strong Gröbner basis $F$ of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ to the leading terms in $G_m$ by units. By transitivity, we can now clearly
also relate the leading terms of any two minimal strong Gröbner bases by units. This concludes the
proof. □

Note that an arbitrary factor $c$, relating two leading terms, need not necessarily be a unit. For example,
consider the polynomial $f(x, y) = 3(x - 1)(x - 2) \cdot (y - 1)(y - 2) \in G_{12}$. We may switch to
another minimal strong Gröbner basis of $I_0 \subset \mathbb{Z}/12[x, y]$, simply by replacing $f(x, y)$ by
$f'(x, y) = 9(x - 1)(x - 2) \cdot (y - 1)(y - 2)$. Note that over $\mathbb{Z}/12$ the ideals $\langle f \rangle$ and $\langle f' \rangle$ are identical. Thus,
$G_m \setminus \{f\} \cup \{f'\}$ must still be a minimal strong Gröbner basis. Now obviously $\mathrm{LT}(f') = 3 \cdot \mathrm{LT}(f)$, but 3 is not a unit in
$\mathbb{Z}/12$.

We point out that minimal strong Gröbner bases are in general not unique. This is due to the
fact that we only consider leading terms and do not require tail reduction here. For example, in the
case of the ideal $I_0$, we can easily modify the basis $G_m$ and still obtain a minimal strong Gröbner
basis. To this end, we may pick two elements $f, g \in G_m$ with $\mathrm{LM}(g) < \mathrm{LM}(f)$ and replace $f$ by
$f + g$.

Let us once again take a look at the complexity of $G_m$, that is, the size $|G_m|$ as a function of the
number of variables $n$. The discussion that followed Example 3.4 already made it clear that $|G_m|$
is only linear in $n$, when all prime factors of $m$ are mutually distinct. In the general case when
$m = q_1^{e_1} \cdot q_2^{e_2} \cdots q_k^{e_k}$ with some $e_i > 1$, the construction is combinatorially more complex. However,
based on the following investigation for the practically relevant case $m = q^k$, we conjecture that for a
fixed $m$ the size of $G_m$ is always of polynomial order in $n$.

Since we are interested in the asymptotic behaviour of $|G_m|$ for a large $n$, we may assume that $n$ is
much larger than $m = q^k$. We can decompose $G_m$ into the disjoint union

$$G_m = \bigcup_{0 \le j < k} G_m^{(j)}, \text{ where}$$

$$G_m^{(j)} := \{q^j \cdot (x_i - 1) \cdots (x_i - (k-j)q) \mid 1 \le i \le n\}$$
$$\cup\ \{q^j \cdot (x_{i_1} - 1) \cdots (x_{i_1} - s_1 q)(x_{i_2} - 1) \cdots (x_{i_2} - s_2 q) \mid
1 \le i_1, i_2 \le n;\ i_1 \ne i_2;\ 1 \le s_1, s_2;\ s_1 + s_2 = k - j\}$$
$$\cup \cdots \cup\ \{q^j \cdot (x_{i_1} - 1) \cdots (x_{i_1} - q)(x_{i_2} - 1) \cdots (x_{i_2} - q) \cdots
(x_{i_{k-j}} - 1) \cdots (x_{i_{k-j}} - q) \mid 1 \le i_u \le n;\ i_u \ne i_v \text{ for } u \ne v\},$$

that is, in $G_m^{(j)}$ we have the constant coefficient $q^j$, and we have polynomials in 1 up to $k - j$ variables.
With $h_j := |G_m^{(j)}|$, we obtain the very rough estimates




and $h = |G_m|$ is of polynomial order of degree $k$ in the number of variables $n$.



3.3. Computing the reduced normal form of a polynomial 

After we have given a minimal strong Gröbner basis of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, we shall now
turn to computing representatives of the residue classes in $(\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$. When we impose
certain bounds on the coefficients of all monomials, these representatives are unique:

Proposition 3.6. Every residue class $f \in (\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$ has a unique representative
$f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ of the form

$$f = \sum_{\alpha \in \{0, 1, \ldots, m-1\}^n} a_\alpha x^\alpha, \text{ where } 0 \le a_\alpha < \frac{m}{\gcd(m, \alpha!)}, \text{ for all } \alpha.$$

Note that, whenever $m \mid_{\mathbb{Z}} \alpha!$, the given bound forces $a_\alpha$ to be zero.

Proof. Let $f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ be an arbitrary polynomial. Suppose $f$ contains a monomial $a x^\alpha$
for which $a \ge c := \frac{m}{\gcd(m, \alpha!)}$. Due to division with remainder of $a$ by $c$ in $\mathbb{Z}$, we obtain $a = k \cdot c + r$
for some $k \in \{1, 2, \ldots\}$, and $0 \le r < c$. Now, $m \mid_{\mathbb{Z}} \frac{m \cdot \alpha!}{\gcd(m, \alpha!)}$. In other words, $m \mid_{\mathbb{Z}} c\alpha!$, and $p_{\alpha,c} \in I_0$ by
Lemma 3.1.

As a consequence, $f$ and $f' := f - k \cdot p_{\alpha,c}$ lie in the same residue class. Moreover, the coefficient
of $x^\alpha$ in $f'$ is $a - k \cdot c = r$, for which the claimed bound holds. Since we have a global order on the
monomials, we need only finitely many repetitions of the presented reduction step, in order to arrive
at a polynomial $g$ which also lies in the residue class of $f$, and the coefficients of which all satisfy the
required bound condition.

To prove the uniqueness of the constructed representative, assume we have two representatives
$f_1, f_2$ of the residue class of $f$, realising all coefficient bounds. Then, by defining either $g := f_1 - f_2$ or
$g := f_2 - f_1$, we obtain a polynomial $g \in I_0$ with $\mathrm{LT}(g) = a x^\alpha$ and $0 \le a < \frac{m}{\gcd(m, \alpha!)}$. By Lemma 3.2,
we know that $m \mid_{\mathbb{Z}} a\alpha!$.

We need to show that $a = 0$; so for a contradiction, let us assume that $a > 0$. With $b := \gcd(m, a)$
we still have $m \mid_{\mathbb{Z}} b\alpha!$, i.e., $\frac{m}{b} \mid_{\mathbb{Z}} \alpha!$. Then also $\frac{m}{b} \mid_{\mathbb{Z}} \gcd(m, \alpha!)$ which implies $m \mid_{\mathbb{Z}} b \cdot \gcd(m, \alpha!)$. But
$b \cdot \gcd(m, \alpha!) \le a \cdot \gcd(m, \alpha!) < m$, yielding the desired contradiction. □

As an immediate consequence, we can count the number of polynomial functions which is the same
as the number of residue classes in $(\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$:

Corollary 3.7. The number of polynomial functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ is given by

$$N = \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} \frac{m}{\gcd(m, \alpha!)}.$$

In comparison, the number of all functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ equals

$$m^{(m^n)} = \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} m = N \cdot \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} \gcd(m, \alpha!).$$

$\mathbb{Z}/m \to \mathbb{Z}/m$    No. of functions        No. of polynomial functions
$m = 2^2$           256                     64
$m = 2^8$           $10^{616}$              $10^{16}$
$m = 2^{16}$        $10^{315652}$           $10^{52}$
$m = 2^{32}$        $10^{41373247567}$      $10^{184}$


Hence, if $m$ is not prime, there are much fewer polynomial functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ than
functions. This has the consequence that not every problem which can be modelled by functions, like
problems coming from formal verification, can be modelled by polynomials over $\mathbb{Z}/m$ (cf. Wienand
et al. (2008) where, nevertheless, polynomial ideals over $\mathbb{Z}/2^k$ have been used successfully).

Following the idea in the proof of Proposition 3.6, we are able to present a very fast algorithm for
computing the reduced normal form, that is, the unique representative of a residue class in the ring
$\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ modulo $I_0$ (see Shekhar et al. (2005) for $\mathbb{Z}/2^k$):

Algorithm 1 Reduced normal form in $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ with respect to $I_0$
Input: $f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ a polynomial, $>$ any monomial order on $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$
Output: $h$ the reduced normal form of $f$ with respect to $I_0$
  $h := 0$
  while $f \ne 0$ do
    $a x^\alpha := \mathrm{LT}(f)$
    $c := \frac{m}{\gcd(m, \alpha!)}$
    solve $a = k \cdot c + r$ with $k \in \mathbb{N}$ and $0 \le r < c$
    $h := h + r x^\alpha$
    $f := f - k \cdot p_{\alpha,c} - r x^\alpha$
  end while
  return $h$



Note that the algorithm makes sure that $f + h$ will always represent the same residue class, as
$p_{\alpha,c} \in I_0$. Since initially $h = 0$, this class must be the residue class of $f$. After termination, which is
ensured by the global order, $h$ consists only of terms with appropriate coefficient bound, i.e., $h$ must
be the unique representative as given in Proposition 3.6.
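
Added example (not the authors' SINGULAR implementation): Algorithm 1 in Python on sparse polynomials stored as dictionaries from exponent tuples to coefficients, with the degree-lexicographic order chosen as the global monomial order. The names `reduced_normal_form`, `falling_product`, `evaluate`, `same_function` and `count_polynomial_functions` are assumptions of this sketch; the last one evaluates the product from Corollary 3.7 so that the result can be compared with the number of distinct normal forms.

```python
from itertools import product
from math import factorial, gcd, prod


def multi_factorial(alpha):
    """alpha! := alpha_1! * ... * alpha_n! for a multi-index alpha."""
    return prod(factorial(e) for e in alpha)


def falling_product(alpha):
    """Expand prod_i prod_{l=1..alpha_i} (x_i - l) over Z as {exponent: coeff}."""
    poly = {(0,) * len(alpha): 1}
    for i, e in enumerate(alpha):
        for l in range(1, e + 1):
            nxt = {}
            for mono, co in poly.items():       # multiply by (x_i - l)
                up = mono[:i] + (mono[i] + 1,) + mono[i + 1:]
                nxt[up] = nxt.get(up, 0) + co
                nxt[mono] = nxt.get(mono, 0) - l * co
            poly = nxt
    return poly


def reduced_normal_form(f, m):
    """Algorithm 1: the unique representative of f modulo I_0 over Z/m."""
    f = {mono: co % m for mono, co in f.items() if co % m}
    h = {}
    while f:
        # Leading monomial with respect to the degree-lexicographic order.
        alpha = max(f, key=lambda e: (sum(e), e))
        a = f[alpha]
        c = m // gcd(m, multi_factorial(alpha))
        k, r = divmod(a, c)                     # a = k*c + r with 0 <= r < c
        if r:
            h[alpha] = r
        if k:                                   # f := f - k * p_{alpha,c}
            for mono, co in falling_product(alpha).items():
                val = (f.get(mono, 0) - k * c * co) % m
                if val:
                    f[mono] = val
                else:
                    f.pop(mono, None)
        f.pop(alpha, None)                      # ... - r * x^alpha
    return h


def evaluate(f, point, m):
    """Value of the polynomial function of f at a point of (Z/m)^n."""
    return sum(co * prod(c ** e for c, e in zip(point, mono))
               for mono, co in f.items()) % m


def same_function(f, g, m, n):
    """True if f and g induce the same function (Z/m)^n -> Z/m."""
    return all(evaluate(f, pt, m) == evaluate(g, pt, m)
               for pt in product(range(m), repeat=n))


def count_polynomial_functions(m, n):
    """Corollary 3.7: product of m / gcd(m, alpha!) over alpha in {0..m-1}^n."""
    return prod(m // gcd(m, multi_factorial(al))
                for al in product(range(m), repeat=n))


if __name__ == "__main__":
    # Over Z/4 the functions x^4 and x^2 coincide.
    print(reduced_normal_form({(4,): 1}, 4))
    # A constructed two-variable input over Z/12 and its normal form.
    f = {(5, 3): 7, (2, 2): 11, (4, 0): 5, (0, 1): 9, (0, 0): 4}
    nf = reduced_normal_form(f, 12)
    print(nf, same_function(f, nf, 12, 2))
    print(count_polynomial_functions(4, 1))
```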

3.4. Computing minimal strong Gröbner bases over different rings $\mathbb{Z}/m$

The simple structure of minimal strong Gröbner bases provides us with a recursive means to
construct $G_m$ from bases for smaller $m$. We are especially interested in computing $G_M$ from the
elements of the already computed set $G_m$, where $M = q \cdot m$ with $q$ a prime number. The following
pairwise disjoint decomposition of $G_M$ is easy to verify:

$$G_M = \{p_{\alpha,a} \mid p_{\alpha,a} \in G_m,\ (\alpha, a) \in S_M\}$$
$$\cup\ \{p_{\alpha,aq} \mid p_{\alpha,a} \in G_m,\ (\alpha, aq) \in S_M\}$$
$$\cup\ \{p_{\alpha+\beta,b} \mid p_{\alpha,a} \in G_m,\ \exists \beta \in B(\alpha, a, q)\ \exists b \mid_{\mathbb{Z}} M : (\alpha + \beta, b) \in S_M\},$$

where $B(\alpha, a, q)$ denotes the set of all $\beta \succ (0, 0, \ldots, 0)$ such that $(\alpha + \beta)!$ contains one more prime
factor $q$ than $a\alpha!$.

This decomposition says that we may already directly find elements of $G_M$ in $G_m$. Or, secondly, we
may build an element of $G_M$ by multiplying an element of $G_m$ by $q$. Besides altering the coefficient
only, we can also try to enlarge the exponent vector of some $p_{\alpha,a} \in G_m$ such that the new exponent
factorial $(\alpha + \beta)!$ contains one more prime factor $q$ than $a\alpha!$. However, enlarging the exponent may
introduce many more divisors of $M$, so that in general we need to adjust the coefficient. It is easy to
see that once a suitable $\beta$ is found, we can set $b = \frac{M}{\gcd(M, (\alpha+\beta)!)}$. The search for suitable $\beta$ can obviously
be limited to the set defined by the condition $\beta \le (q, q, \ldots, q)$, that is, we know a finite superset of
$B(\alpha, a, q)$.

In practice, all three cases may occur. The following examples are numbered according to the order
in the above decomposition. (The number of variables, $n$, equals 2.)

Example 3.8. 1. $G_3 \subset G_6$, since $3! = 6$ already contains all necessary factors; see Example 3.4 (and
the remark regarding $k = 1$) to recall the elements of $G_3$.

2. With $q$ any prime, we have $p_{(3,0),2} \in G_{12}$ and $p_{(3,0),2q} \in G_{12 \cdot q}$.

3. We have $6(x - 1)(x - 2)(y - 1)(y - 2) \in G_{24}$. We try to construct an element in $G_{24 \cdot 3}$ by enlarging
the product of $x$ and $y$ terms. Since $6 \cdot 2! \cdot 2!$ contains one prime factor 3, we try to move to the
target product $(x - 1)(x - 2)(x - 3)(y - 1)(y - 2)(y - 3)$ which realizes one more factor 3 because
$3^2 \mid_{\mathbb{Z}} 3! \cdot 3!$. Now $b = \frac{72}{\gcd(72, 3! \cdot 3!)} = 2$ and hence $2(x - 1)(x - 2)(x - 3)(y - 1)(y - 2)(y - 3) \in G_{72}$.

The above decomposition of $G_M$, and the structure of $G_q$ for a prime $q$ as discussed in Example 3.4, give
rise to the following algorithm.

Algorithm 2 RecComp($M$), Recursive computation of $G_M$
Input: $M \in \{2, 3, \ldots\}$
Output: $G_M$
  pick any prime factor $q$ of $M$
  if $M = q$ then
    $A := \{q \cdot e_i \mid 1 \le i \le n\}$, where the $e_i$ are the unit vectors in $\mathbb{N}^n$
    $G := \{p_{\alpha,1} \mid \alpha \in A\}$
  else
    $m := M/q$
    $H :=$ RecComp($m$)
    $G := \{\}$
    for all $p_{\alpha,a} \in H$ do
      if $(\alpha, a) \in S_M$ then
        $G := G \cup \{p_{\alpha,a}\}$
      else
        $G := G \cup \{p_{\alpha,aq}\}$
        for all $\beta \in B(\alpha, a, q) \subset \{\beta \mid (0, 0, \ldots, 0) \prec \beta \le (q, q, \ldots, q)\}$ do
          $b := \frac{M}{\gcd(M, (\alpha+\beta)!)}$
          $G := G \cup \{p_{\alpha+\beta,b}\}$
        end for
      end if
    end for
  end if
  return $G$



References 

Adams, W., Loustaunau, P., 2003. An introduction to Gröbner bases. In: Graduate Studies in Mathematics, AMS.

Carlitz, L., 1964. Functions and polynomials (mod $p^n$). Acta Arithmetica 9, 67-78.

Greuel, G.-M., Pfister, G., Schönemann, H., 2009. Singular 3.1.0 - a computer algebra system for polynomial computations.
http://www.singular.uni-kl.de.

Halbeisen, L., Hungerbühler, N., Läuchli, H., 1999. Powers and polynomials in $\mathbb{Z}/m$. Elemente der Mathematik 54 (3), 118-129.

Hungerbühler, N., Specker, E., 2006. A generalization of the Smarandache function. Integers: Electronic Journal of Combinatorial
Number Theory 6.

Kempner, A.J., 1921. Polynomials and their residue systems. American Mathematical Society Translations 22, 240-266.

Greuel, G.-M., Wedler, M., Wienand, O., Brickenstein, M., Dreyer, A., 2008. New developments in the theory of Groebner bases
and applications to formal verification. Journal of Pure and Applied Algebra.

Shekhar, N., Kalla, P., Enescu, F., Gopalakrishnan, S., 2005. Equivalence verification of polynomial datapaths with fixed-size
bit-vectors using finite ring algebra. In: ICCAD '05: Proceedings of the 2005 IEEE/ACM International Conference on
Computer-aided Design. IEEE Computer Society, Washington, DC, USA, pp. 291-296.

Singmaster, D., 1974. On polynomial functions (mod $m$). Journal of Number Theory 6, 345-352.

Smarandache, F., 1980. A function in the number theory. In: Analele Univ. Timisoara, Fascicle 1, XVIII. pp. 79-88.

Wienand, O., 2010. Ph.D. thesis. Kaiserslautern, Germany (in preparation).

Wienand, Oliver, Wedler, Markus, Stoffel, Dominik, Kunz, Wolfgang, Greuel, Gert-Martin, 2008. An algebraic approach for
proving data correctness in arithmetic data paths. In: CAV'08: Proceedings of the 20th International Conference on
Computer Aided Verification. Springer-Verlag, Berlin, Heidelberg, pp. 473-486.



